$OpenBSD: patch-f_readold_c,v 1.1 2009/12/27 22:09:24 jasper Exp $

Security fix for CVE-2009-4227.
Xfig ".fig" File Parsing Buffer Overflow

Patch from RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=543905

--- f_readold.c.pat.orig	Thu Mar 29 02:23:14 2007
+++ f_readold.c	Sun Dec 27 23:07:04 2009
@@ -471,7 +471,7 @@ read_1_3_textobject(FILE *fp)
     F_text	   *t;
     int		    n;
     int		    dum;
-    char	    buf[128];
+    char	    buf[512];
     PR_SIZE	    tx_dim;
 
     if ((t = create_text()) == NULL)
@@ -485,22 +485,34 @@ read_1_3_textobject(FILE *fp)
     t->pen_style = -1;
     t->angle = 0.0;
     t->next = NULL;
+    if (!fgets(buf, sizeof(buf), fp)) {
+	file_msg("Incomplete text data");
+	free((char *) t);
+	return (NULL);
+    }
+
+    /* Note using strlen(buf) here will waste a few bytes, as the
+       various text attributes are counted into this length too. */
+    if ((t->cstring = new_string(strlen(buf))) == NULL)
+        return (NULL);
+
     /* ascent and length will be recalculated later */
-    n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
+    n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
 		&t->font, &dum, &dum, &t->ascent, &t->length,
-		&t->base_x, &t->base_y, buf);
+		&t->base_x, &t->base_y, t->cstring);
     if (n != 8) {
 	file_msg("Incomplete text data");
+	free(t->cstring);
 	free((char *) t);
 	return (NULL);
     }
-    if ((t->cstring = new_string(strlen(buf))) == NULL) {
+
+    if (!strlen(t->cstring)) {
+	free(t->cstring);
 	free((char *) t);
 	file_msg("Empty text string at line %d.", line_no);
 	return (NULL);
     }
-    /* put string in structure */
-    strcpy(t->cstring, buf);
 
     /* get the font struct */
     t->zoom = zoomscale;
